Ask Your Question

Offloading SSL to Amazon ELB for PuppetDB

asked 2013-08-13 21:26:25 -0600

I'm setting up an Elastic Load Balancer to handle the SSL for two PuppetDB nodes (for high availability).

I'm using one of our existing wildcard SSL certificates (let's call it * for this discussion), but the puppet master doesn't like it, even though it's a Thawte-issued certificate. It looks like it's unable to find the CA cert to verify it:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for <a href=""></a> to PuppetDB ...
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2013-08-14 08:43:00 -0600

updated 2013-08-15 06:48:52 -0600

The Puppet master expects to have the certificate for PuppetDB be signed by its own CA, it doesn't actually 'trust' public certificates since the security requirements are more private in general. So you will need to generate this yourself on the puppetmaster, with something like:

$ sudo puppet cert generate myexamplehostname

And then load up the generate private key, public certificate and in the Certificate Chain use the certificate supplied by the command:

$ sudo puppet master --configprint cacert

The problem or deficiency in using the ELB service for SSL is that it doesn't support client based SSL authentication, which ... (more)

edit flag offensive delete link more


Hi Ken, Thanks for your answer - I was hoping there'd be something like a "--trust-root-CAs" flag to pass to puppet master, but it appears not.

egeland gravatar imageegeland ( 2013-08-14 18:24:52 -0600 )edit

I knew about generating certs from the puppet CA - I was hoping to reuse the wildcard cert rather than go that route, but you've clarified the situation and it ...(more)

egeland gravatar imageegeland ( 2013-08-14 18:24:56 -0600 )edit

Anyway, thanks for your answer! :) Cheers, Frode PS - hey puppetlabs, what's with the tiny character limit on comments?? O_o

egeland gravatar imageegeland ( 2013-08-14 18:25:58 -0600 )edit

Well, the master has to act as its own CA by design for client auth - this is not a traditional web gui app, so we can't think like that ...(more)

ken gravatar imageken ( 2013-08-15 06:48:03 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2013-08-13 21:26:25 -0600

Seen: 680 times

Last updated: Aug 15 '13